On August 8th the judicial departments of the Appellate Division of the New York State Supreme Court announced that it was adopting a new CLE requirement that had been recommended two years prior by the New York State Bar Association’s Committee on Technology and the Legal Profession. This mandate requires New York Barred attorneys complete 1 hour of Cybersecurity CLE (Continuing Legal Education) every 2 years. They can choose to complete this CLE in two arenas, either the ethics obligations concerning cybersecurity:
Cybersecurity, Privacy and Data Protection-Ethics must relate to lawyers’ ethical obligations and professional responsibilities regarding the protection of electronic data and communication and may include, among other things: sources of lawyers’ ethical obligations and professional responsibilities and their application to electronic data and communication; protection of confidential, privileged and proprietary client and law office data and communication; client counseling and consent regarding electronic data, communication and storage protection policies, protocols, risks and privacy implications; security issues related to the protection of escrow funds; inadvertent or unauthorized electronic disclosure of confidential information, including through social media, data breaches and cyber attacks; and supervision of employees, vendors and third parties as it relates to electronic data and communication.
Or the practice related concerns around cybersecurity:
Cybersecurity, Privacy and Data Protection-General must relate to the practice of law and may include, among other things, technological aspects of protecting client and law office electronic data and communication (including sending, receiving and storing electronic information; cybersecurity features of technology used; network, hardware, software and mobile device security; preventing, mitigating, and responding to cybersecurity threats, cyber attacks and data breaches); vetting and assessing vendors and other third parties relating to policies, protocols and practices on protecting electronic data and communication; applicable laws relating to cybersecurity (including data breach laws) and data privacy; and law office cybersecurity, privacy and data protection policies and protocols.
This requirement will go into effect in January of 2023 and does not raise the total number of CLE hours required for attorneys. The rule for technological competence was introduced in 2012 and adopted by 40 states thus far, but only two other states mandate CLE classes related to technology: Florida and North Carolina. Neither of those states have New York's new and unique focus on Cybersecurity, however.
Our Cyber Security Experts at Evidence Solutions applaud this new requirement for New York State attorneys, and hope to see it implemented in other states. A more in depth article on this topic appeared in the AZ Bar Magazine earlier this year, but suffice to say that Law Firms are unique targets for bad actors due to the sensitivity of the information they hold electronically and also due to their frequently inadequate cybersecurity protocols. Ensuring that legal professionals have the most up-to-date cybersecurity protocols and current understanding of the threats they may face is a great step in the right direction.
